Google's new privacy policy may violate EU rules

Google's new privacy policy appears to violate the European Union's data protection rules, France's regulator said today, just two days before the new guidelines are set to come into force.

GABRIELE STEINHAUSER

BRUSSELS — Google's new privacy policy appears to violate the European Union's data protection rules, France's regulator said today, just two days before the new guidelines are set to come into force.

Google announced its new privacy policy with much fanfare last month. The rules, which are set to come into force on Thursday, regulate how the Web giant uses the enormous amounts of personal data its collects through its search engine, email and other services.

However, the EU's data protection authorities are concerned about the privacy effects of the policy and earlier this month asked French regulator CNIL to investigate them.

“Our preliminary analysis shows that Google's new policy does not meet the requirements of the European Directive on Data Protection,” CNIL said in a letter to Google Chief Executive Larry Page. The letter was sent Monday and posted on CNIL's website today.

The agency said Google's explanation of how it will use the data was too vague and difficult to understand “even for trained privacy professionals.”

The new policy makes it easier for Google to combine the data of one person using different services such as the search engine, YouTube or Gmail if he is logged into his Google account. That allows Google to create a broader profile of that user and target advertising based on that person's interests and search history more accurately. Advertising is the main way Google makes its money.

However, CNIL said data protection authorities in the EU “are deeply concerned about the combination of personal data across services,” adding they had “strong doubts about the lawfulness and fairness of such processing.”

Vivian Reding, the EU's Justice Commissioner who oversees the bloc's data protection rules, said she welcomed CNIL's letter and called on Google to delay its new policy.

Google argues that combining the data into one profile makes search results more relevant and allows a user to cross-navigate between different services more easily. It says the main purpose of the new policy is to combine the more than 70 different rules for Google's wide-ranging services into one that is simpler and more readable.

“We are confident that our new simple, clear and transparent privacy policy respects all European data protection laws and principles,” Peter Fleischer, Google's global privacy counsel, wrote in response to CNIL's original letter, adding that users had more than a month to get familiar with the new rules.

Fleischer also rejected CNIL's reiterated request to delay the rollout of the privacy policy until all concerns have been cleared up.

“We have notified over 350 million authenticated Google users and provided highly visible notifications on our home page and in search results for our non-authenticated users,” he wrote. “To pause now would cause a great deal of confusion for users.”

The probe of the privacy policy is one of several battle lines between Google and the European Commission, the executive arms of the 27-country EU.

Google's search engine has a market share of more than 90 percent in the EU, with rival services like Microsoft's Bing gaining little traction.

The Commission is already examining whether Google uses this dominance to stop other search engines from entering the market. It is also investigating complaints from Microsoft and Apple into whether Motorola, which Google is in the process of taking over, is breaking EU competition rules in its aggressive enforcement of standard-essential patents.